DDoS attack on the Russian banks: what the traffic data showed

From November 8 to 12, websites of some of the largest Russian banks fell victim to heavy DDoS attacks. Initially, it was no indication of anything unusual – all well-known banks get attacked from time to time – but further developments have evolved in the manner that allowed us to suggest a high level of organization in regards to the series of attacks.

The first attacks that took place on November 8 affected two banks, but already at 4:00 pm Moscow time, similar attacks struck three more banks. A little later, a fourth bank was attacked.

On November 9 at 3 am, the attacks stopped for a while only to commence again in the evening with an attack on yet another bank. At approximately 5 am on November 10, a new wave of attacks occurred.

The largest number of attacks took place between 5 and 8 am on November 11 when, within the space of 10 minutes, eleven attacks occurred, which targeted various objects, namely, corporate websites of banks and online banking systems. All attacks lasted approximately one hour and were similar to the attacks registered in the previous days.

In the days to follow, no new attacks occurred, but some of the previously launched attacks continued until the morning of November 14.

Kaspersky Lab received first-hand information as events unfolded: some of the banks that were attacked are our customers, and they promptly switched their traffic to Kaspersky DDoS Prevention centers with a few more joining after events had started. This provided the analysts of Kaspersky Lab access to the patterns of the attacks and gave them an opportunity to draw a number of conclusions about their nature.

Attackers used combinations of various attack methods. They applied SYN Flood that exhausts operating system resources, as well as HTTP/HTTPS Flood that overloads the target Web server.

The longest attack in the series lasted 4 days 6 hours and 34 minutes;

The peak power of the attack was 660 thousand requests per second, while the average load on a corporate website of a major bank during business hours rarely exceeds 1 thousand requests per second;

A few botnets “specializing” in different types of attacks participated in the attack. Approximately 24 thousand unique bots have been blocked;

The traffic analysis showed that the leads pointing to Mirai, which prematurely appeared in the press, were not substantiated: one of the botnets was indeed built on the basis of IoT devices, but a different bot was used.

Bots that participated in the attacks are located in 30 different countries. More than half of them are in the United States, India, Taiwan and Israel.

The most powerful attacks started when it was early morning in Moscow, which seems illogical at first glance – the number of visitors to the target websites of banks is low at this time of day. This can be attributed to feeling out the target: the attackers started loading the websites with relatively simple SYN Flood and HTTP Flood attacks, thereby determining the possibilities of the protection systems to filter packets of trash traffic. The small number of legitimate visitors enabled them to quite accurately determine the frequency of requests necessary to create a denial of service situation.

Attacks against the banks protected by Kaspersky DDoS Prevention were not successful. Having recognized this, the attackers began to act in accordance with a more complex and demanding procedure – via HTTPS requests, and in some cases transferring the focus of the attacks onto Internet banking systems. Since the traffic of an HTTPS session is encrypted, it is impossible to analyze and filter it when located outside of the affected network. Thanks to the ability to analyze the traffic at the customer site (for this purpose, a separate “sensor” component is used), we received the statistical parameters of requests that were used to generate the filtering parameters directly in the cloud. In addition, the results of the analysis were forwarded to the IT services of the banks, which, if necessary, successfully generated counteraction measures on their side.

The carefully thought-out tactics, use of combined methodologies and scale of the event suggest a high level of organization among the attackers – the “job” was done by professionals. In regards to one of the banks, after all attacks were successfully dealt with, an elaborate attack method against the application level that took advantage of the web server vulnerability was used. This also points to the attackers being highly qualified.

It is difficult to say what the aims of the series of attacks were: it may have been blackmail, diverting attention from a hacking attack against banking systems, or political hacktivism. However, the fact that the attackers targeted the banks’ corporate websites first, and only then switched to remote maintenance systems if they were unsuccessful, allows us to conclude that the organizers were more interested in publicity rather than doing real damage to the financial institutions.

To a certain extent, our findings correlate with the reports that appeared in the press referring to the attacks being ordered from a certain DDoS service. According to its owner, the persons who ordered the attacks were unhappy with the influence that Russia allegedly had on the US Presidential election and the websites of major Russian banks were selected as high-profile targets whose operational difficulties would definitely be noticed.